Securely Manage Secrets with HashiCorp Vault

Vault is a free and open-source tool from HashiCorp for securely storing and accessing secrets. It stores and tightly controls access to tokens, passwords, certificates, encryption keys and other sensitive data through a UI, CLI or HTTP API. Vault provides a single interface to any secret and records a detailed audit log of every access. You can keep database credentials, API keys for external services and other credentials in the vault. Vault supports multiple storage backends, including Consul, local disk and cloud storage, and enables developers and security professionals to deploy applications in zero-trust environments across public and private data centers.

In this tutorial, we will learn how to manage secrets with HashiCorp Vault on an Alibaba Cloud Elastic Compute Service (ECS) instance running Ubuntu 16.04.

Prerequisites

For reference, check out create a new ECS instance and connect to your instance. Next, once you are logged into your Ubuntu 16.04 instance, you'll need to run the apt-get update -y command to update your base system with the latest available packages.

Install Vault

As the first part of this tutorial, you will need to download the latest Vault release from the official HashiCorp website. You can download it along with its checksum with the following command:

You can also verify the installed Vault version with the vault --version command. The output will look like this:

Vault v0.11.4 ('612120e76de651ef669c9af5e77b27a749b0dba3')

Initialize Vault

When you start Vault for the first time it is uninitialized, which means it is not yet ready to store or retrieve data. As the first step, set an environment variable that tells the vault command how to connect to the Vault server:

export VAULT_ADDR=http://alibabatest.com:8200

Next, confirm that Vault is in an uninitialized state by running the vault status command. The resulting output will be:

Next, initialize Vault with the vault init -key-shares=3 -key-threshold=2 command, which splits the master key into three shares of which any two are enough to unseal. The output will look like this:

WARNING! The "vault init" command is deprecated. Please use "vault operator
init" instead. This command will be removed in Vault 0.12.
Unseal Key 1: GxaoGqVbDRlpDbeZJcf23rUeFzo0XprfhqJ2oGgykcwK
Unseal Key 2: mfhRgTXxTb6jMn3hwEuBEsp7TGbnv0U38qnjqJ4I4Cnc
Unseal Key 3: 0YCai3UWTsHLLhUL8vK9qNVPQ5zNEdCdp+MYi4OvDhtN
Initial Root Token: 5L6ArACs6QTJ4xtz9bVrXsFR
Vault initialized with 3 key shares and a key threshold of 2. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 2 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated master key. Without at least 2 key to
reconstruct the master key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

Save each unseal key and the initial root token in a secure place: the key shares are printed only once, and Vault does not store them.

Vault is now initialized but sealed, so you will need to unseal it using the unseal keys just generated. At least two of the three keys (the threshold chosen above) must be supplied before the service becomes available and ready to use.
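The unseal step is easy to get wrong by hand, since each share is submitted separately and nothing stops you from pasting in more shares than the threshold needs. The following shell script is an added example (not part of the original tutorial) that submits shares one at a time until vault status reports the server unsealed. It assumes VAULT_ADDR is exported as above, the vault CLI is on PATH, and the shares are passed as arguments from a secure source rather than hard-coded; it uses the vault operator unseal form that the deprecation warning above points to.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: submit unseal key shares
# until the threshold is reached and confirm the seal state afterwards.
# Assumptions: VAULT_ADDR is exported (as in the tutorial), the `vault` CLI is
# on PATH, and the shares are passed as arguments from a secure source rather
# than stored in this script.

# `vault status` exits 0 when the server is unsealed, 2 while it is still
# sealed and 1 on a connection error, so the exit code alone gives the state.
vault_is_unsealed() {
    vault status >/dev/null 2>&1
}

# unseal_vault SHARE... : feed one share at a time and stop as soon as the
# server reports itself unsealed, so no more shares than the threshold
# (2 of 3 in this tutorial) are ever handed to the server.
# Returns 0 on success, 1 if the shares ran out or a submission failed.
unseal_vault() {
    submitted=0
    for share in "$@"; do
        if vault_is_unsealed; then
            break
        fi
        vault operator unseal "$share" >/dev/null || return 1
        submitted=$((submitted + 1))
    done
    vault_is_unsealed || return 1
    echo "unsealed after $submitted share(s)"
    return 0
}

# Usage: sh unseal.sh SHARE1 SHARE2   (shares taken from the init output)
if [ "$#" -gt 0 ]; then
    unseal_vault "$@"
fi
```

Because the loop checks the seal state before every submission, running it with all three shares still sends only two; the third share stays with its holder, which is the point of splitting the key in the first place.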

Test Vault

Vault is now installed and configured, so it's time to test how Vault writes, stores and reads secrets. First, store the previously generated root token in an environment variable with the following command:

root_token=5L6ArACs6QTJ4xtz9bVrXsFR

Next, write a value to a Vault with the following command:

VAULT_TOKEN=$root_token vault write secret/message value=testing

The output will look like this:

Success! Data written to: secret/message

Next, create a policy file with the nano policy.hcl command and add the following lines, which grant read-only access to the secret written above:

path "secret/message" {
  capabilities = ["read"]
}

Save and close the file. Then, write this policy to Vault with the following command:
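Beyond loading the policy, a practitioner will want to confirm that it grants exactly the intended access and nothing more. The following shell script is an added example, not part of the original tutorial: it registers policy.hcl, mints a token that carries only that policy, and checks that the token can read secret/message but is refused when it tries to write there. The policy name readonly and the one-hour TTL are this example's own choices; VAULT_ADDR and an administrative VAULT_TOKEN (the root token from the tutorial) are assumed to be exported.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: load the read-only policy,
# mint a token that carries only that policy, and verify the token can read
# secret/message but cannot write to it. The policy name "readonly" and the
# one-hour TTL are this example's choices; VAULT_ADDR and an administrative
# VAULT_TOKEN (the root token from the tutorial) are assumed to be exported.

# Register the policy file under a name. `vault policy write` is the
# replacement for the older `vault policy-write` subcommand.
load_policy() {
    vault policy write "$1" "$2"
}

# Create a short-lived token restricted to one policy and print only the
# token string (-field=token strips the surrounding table output).
mint_token() {
    vault token create -policy="$1" -ttl=1h -field=token
}

# Return 0 only if the token has exactly the intended access: the read the
# policy allows succeeds, and a write to the same path is refused (the CLI
# exits 2 on an API error such as "permission denied").
verify_least_privilege() {
    tok=$1
    VAULT_TOKEN=$tok vault read secret/message >/dev/null 2>&1 || return 1
    if VAULT_TOKEN=$tok vault write secret/message value=changed >/dev/null 2>&1; then
        return 1    # read-only policy, so a successful write means a misconfiguration
    fi
    return 0
}

# Usage: sh check_policy.sh run   (after creating policy.hcl as above)
if [ "${1:-}" = "run" ]; then
    load_policy readonly policy.hcl || exit 1
    tok=$(mint_token readonly) || exit 1
    verify_least_privilege "$tok" && echo "policy readonly grants read-only access to secret/message"
fi
```

Handing applications a token minted this way, rather than the root token used for testing, keeps the root token out of application configuration and limits what a leaked credential can do to a single read of a single path.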